Juniper Networks has issued an update after finding hardcoded credentials had been left in some of its datacenter switches. The exposed login, designated CVE-2019-0034, was found in the Junos Network Agent, a software tool used to manage sensors and other devices that monitor network performance. Specifically, hardcoded …
Sometimes developers will mask the static code analysis results (mark it inapplicable or something) so it avoids the reviewer's inspection. Sometimes the code is just not analyzed. Sometimes the software is supposed to be just a 'tool' and not considered important. Sometimes developers don't understand what it means. Sometimes the managers override the engineers. Also, peer code reviews can get a bit chummy.
Mostly, when you see one such mistake, look for more of the same.